The enforcement of POPI

01 Oct 2020

“Big brother is watching”.

With the long awaited enforcement of the Protection of Personal Information Act (POPI) on 1 July 2020, this scenario is now highly unlikely.

Nevertheless, do you ever get one of these types of calls –  “Hello Mrs./Mr. X, we are calling from ABC Company and you have qualified for a massive discount on our range of cookware” (or something similar) and wonder when on earth you ever shopped at ABC Company and how on earth they got your information? A definite uneasiness follows wondering how your privacy has been breached.

Well, this may be something of the past. Or at least, that is the intention.

What is POPI?

Not a flower (a poppy), POPI is South Africa’s data privacy law and it stands for the Protection of Personal Information Act, No 4 of 2013. It is also sometimes referred to as POPIA, the abbreviations being seemingly interchangeable. It is South Africa’s answer to the European Union’s General Data Protection Regulation (GDPR) and it gives effect to section 14 of the Constitution which provides that everyone has the right to privacy. It is intended to safeguard personal information whilst balancing that right against other rights such as the right of access to, and the free flow of information. A difficult balancing act, you must admit. And this is reflected in the complex nature of POPI.

But what does POPI actually do?

POPI regulates the processing, management, storage, and protection of personal information to protect the right to privacy of the individual, protecting against identity fraud. According to Francis Cronje in the article No more hiding as POPI Act kicks off on 1 July –

“The purpose of the law is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise personal information in any way”.

But, whilst the Act is complex, it will bring South Africa into a new era in the regulation of how private and public sector organisation’s handle the data and personal information of customers and clients. Seemingly bringing an end to the incessant impromptu sales calls as POPI strictly prohibits unsolicited direct marketing. According to POPI Act Compliance –

“Section 69 of POPI outlaws direct marketing by means of any form of electronic communication unless the data subject has given their consent. Such an electronic communication obviously includes emails, SMSs and automatic calling machines.  A subject can only be approached once to obtain such a consent. Once such consent is refused, it is refused forever.

Slightly different rules apply if the subject is a customer.  Here the customer’s contact details must have been obtained in the context of the sale of a product or a service, the direct marketing by electronic communication can only relate to the suppliers own similar products or services, and the customer must have been given the right to opt out at the time that the information was collected and each time such a communication is sent”.

Who does POPI apply to?

POPI is applicable to any person, business or entity that processes personal information of data subjects, for example profit companies, non-profit companies, hospitals and medical practitioners, medical schemes, insurers, attorneys, estate agents, government departments, state owned companies and entities and municipalities (collectively referred to as “responsible parties”), and also to any person, business or entity that processes personal information on behalf of a responsible party, for example IT vendors or medical scheme administrators (referred to as “operators”).

Wait, what are data subjects?

Data subjects are the natural persons or juristic persons whose personal information is processed by responsible parties and operators. Data subjects range from being clients, members or subscribers of responsible parties, to employees.

As far as businesses or entities are concerned, POPI applies to every business in South Africa (even international companies that do business in South Africa) that collects, uses, stores or destroys (referred to as “processing”) personal information from a data subject, whether or not such processing is automatic. 

But what actually is processing?

Processing involves anything that is done with personal information and includes the collection, use, storage, dissemination, modification or destruction of personal information. According to the article POPI Act officially in effect, the following are important information processing principles:

“Accountability: Businesses must ensure that the information processing principles are adhered to.

Processing restriction: Processing must be done lawfully, and personal information may only be processed if it is sufficient, relevant and not excessive given the purpose for which it is processed.

Specific purpose: Personal information must be collected for a specific, defined and legal purpose in relation to a function or activity of the business concerned.

Transparency: Certain prescribed information must be provided to the data subject by the business, including the information collected, the name and address of the responsible party, the purpose for which the information is collected and whether the information provided by the data subject is voluntarily or mandatory.

Further processing restrictions: This is where personal information of a third party is received and transferred to another responsible party for processing.

Security measures: The business must protect the integrity of the personal information in its possession and under its control by ensuring that measures are in place to prevent loss of, damage to or unauthorised destruction of personal information.

Data subject participation: A data subject has the right to: request personal information that the business holds for free; 2. update or destroy personal information that is incorrect, irrelevant, superfluous, misleading or unlawful; and 3. destroy a record of personal information that is unnecessary for the business to keep”.

Organisations (whether they be public, private, big or small), and anyone processing personal information, will have to align their processing activities to POPI. Therefore it is imperative that the processing of personal information is done in a lawful manner. Organizations therefore need to ensure the safety of the information they have access to, protecting individuals from data breaches and information theft (remember the “Japan Heist”)?

What exactly is personal information?

The definition of “personal information” includes a person’s Identity number, email address, phone number, marital status, biometrics, employment history, banking information, health-related information, and data related to their economic status, personal views and private correspondence. This also includes online identifiers such as IP addresses and cookies, which are deemed personally identifiable information.

And a data breach?

A data breach is not defined in POPI but according to Wikipedia, “a data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. It is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so”.

According to Cliffe Dekker Hofmeyer, POPI: Questions & Answers, “where a data breach occurs, there exists an obligation on the responsible party to report the breach to (i) the Information Regulator; and (ii) the affected data subject (subject to certain limitations).The notification must be made in writing as soon as reasonably possible after the discovery of the data breach. The notification must provide the data subject with sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach. Under POPI, companies will have a legal obligation when they have experienced data breaches, to inform the individuals and companies whose data has been compromised

The important thing to remember here is that POPI protects data subjects from harm, like theft and discrimination. Therefore the risks of non-compliance (like collecting email addresses via a web form, saving a list of clients’ addresses, sending marketing messages or communication to people) include reputational damage, fines and imprisonment (which, can result in fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach). In addition, a business could be liable to pay damage claims to data subjects. Which is definitely something to avoid.

How do I avoid non-compliance with POPI?

Responsible parties and operators will according to Section 114(1), have one year after 1 July 2020 to become fully compliant with POPI. This means that they will have to take the necessary measures to ensure that any personal information of data subjects that they process is appropriately protected against loss or unauthorised access by third parties.

What are the first practical steps I should take to avoid non-compliance?

Law firm, Werksmans sets out the 7 fundamental ports of reference on the road to POPI compliance effectively in an easy to understand infograph –

And it is imperative, whilst conducting your POPI compliance audit, to remember cybersecurity. Werksmans, believes that cybersecurity should be at the heart of your POPI audit. Why? Well, part of personal information security is cybersecurity, which refers to the practice of ensuring the integrity, confidentiality, and availability of information. And it is vital as the world relies on technology more than ever before.

“As a result, digital data is created at a pace never thought possible. Today, businesses and governments store a great deal of that data on computers and transmit it across networks to other computers and countries”.

But it is not all doom and gloom for businesses, POPI provides the opportunity to analyse and have more control over the data handled within your organisation and to better understand its purposes. As data is an increasingly valuable resource, better data management can increase the efficiency and effectiveness of any business. It essentially boils down to a comprehensive and ongoing information management process.

With service providers such as AJS, offering comprehensive practice management and cloud hosting services, they can assist in keeping your systems completely ransomware resistant. This suite of services supports your information management process by not only keeping cyber security top of mind but also ensuring client information is safe from “prying eyes” and data breaches. A cloud hosting service, such as the one provided by AJS, will also support the requirements for a disaster recovery plan by ensuring that, in the unlikely event of a data breach, compromised data will be easily recoverable.  In addition, it will aid your investigation into the cause of the data breach and the effectiveness of the response thereto. A powerful tool in your data protection arsenal.

And that should be embraced.

But what if I am in the business of the “Internet of things”?

The “Internet of things” is defined by Forbes.com as

“the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other)”. Examples of this include: Smartwatches such as the Apple Watch which have enabled text messaging, phone calls, and so on; Wearable Technology such as the Fitbit which tracks your activity, exercise, food, weight and sleep, and wirelessly transmits this data to computers and smartphones, and Smart Speakers such as the Amazon Echo which consists of a voice-controlled personal assistant called Alexa, which users can instruct to perform a variety of functions, such as play music, provide a weather report, get sport’s scores, order an Uber, and more”.

According to the article Data protection and security as it relates to the Internet of Things, Law firm Kisch IP, has identified possible risks that may evolve (from a data security perspective) from using devices related to the “Internet of Things” and these include –

1. “A lack of built-in security in Internet of Things devices;
2. Susceptibility to hacking as the copious amounts of data generated by Internet of Things devices opens up more entry points for hackers;
3. Spying by companies using Internet of Things devices in order to obtain consumer behaviour data, for example, insurance companies accessing health information which may be used to make decisions about premiums;
4. Commercial spying by competitors to unlawfully acquire business information in order to obtain a competitive advantage; and
5. Software applications and network connections used in conjunction with Internet of Things devices may lack security.

 POPI, as a result, requires that businesses making “Internet of Things” devices take appropriate, reasonable, technical and organisational measures to prevent loss of, damage to, unlawful access to, collection, retention, dissemination, use of or the unauthorised destruction of personal information. In doing so, Kisch IP has outlined that businesses must: 

1. “Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
2. Establish and maintain appropriate safeguards against the risks identified;
3. Regularly verify that the safeguards are effectively implemented, and
4. Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards”.

 Importantly, there is a duty placed on these businesses to have due regard to generally accepted information security practices and procedures which may apply to them generally or which are required in terms of industry or professional rules and regulations which may be applicable to them specifically. In addition, where there has been a known data breach or if there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the business must notify the Information Regulator and any party whose information was unlawfully accessed or acquired.

In closing

The above information, in no way amounts to legal advice in any form and is for information purposes only. As is quite evident from the above, the complexities around data protection and data privacy is best done by experts properly equipped to give legal advice on POPI that is clear, accurate, and future-focused keeping in mind the balance between service to clients and markets and obligations under POPI. With a year to become compliant, get in touch with appropriate legal advisers as soon as possible to get the ball, well and truly, rolling.

See also:

• Cloud hosting – Managed or traditional?
• Is your organisation POPIA ready?
• POPIA: Focus on consent and legitimate interest
• The role of directors in the age of cybercrime
• 6 tips for easy POPIA compliance
• The search for your Information Officer begins now

(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)